This topic describes multi-factor authentication (MFA) and guides you on how to enable MFA for the WSO2 Identity Server management console. By default, WSO2 Identity Server is shipped with username/password based authentication. You can further strengthen the security of this authentication by adding an additional authentication step to authenticate with basic authentication, FIDO, TOTP etc.

About multi-factor authentication

Due to increasing digital crimes and internet fraud in the world, people are highly concerned about the topic of online security. And it is obvious that traditional user ID and password login is not enough to secure the authentication. Processing speeds of CPUs have increased, so brute force attacks are a reality and dictionary attacks have become a common threat. GPGPU password cracking and rainbow tables have provided similar advantages to attackers.

Multi-factor Authentication (MFA) creates a layered defence and makes it more difficult for an unauthorized person to access a target such as a physical location, computing device, web service, network or a database. If one factor is compromised or broken, the attacker still has at least one more barrier to breach before successfully breaking into the target.

Authentication factors in MFA relies on two or more independent credentials of the three categories.

Knowledge factors - Things only the user knows, such as passwords

Possession factors - Things only the user has, such as ATM cards

Inherence factors - Things only the user is, such as a fingerprint

With a combination of two or more factors from the above three, the user is authenticated. A basic example is when withdrawing money with an ATM card; the card is the possession factor and the pin number is the knowledge factor.

MFA with WSO2 Identity Server

WSO2 Identity Server allows configuring multi-step authentication where you can define an authentication chain containing different authenticators in different steps. You can convert this chain to a Multi-factor authentication chain by adding different factors of authentication to each step. For example, you can configure User-ID/ Password authentication as the first factor (knowledge factors) and then FIDO authentication as the second factor (possession factors).

WSO2 Identity Server has comprehensive support for multi-factor authentication, with authenticators available for SMSOTP, FIDO, MEPin and more.

There are some 2nd factor authenticators which should be followed by a Knowledge factors authenticators to figure out the user first. Ex: When you configure FIDO authenticator, it should not be configured as the 1st step. Instead, it should be followed by a 1st factor authenticator.

Configuring multi-factor authentication for WSO2 Identity Server

Start the WSO2 IS server and login to the management console.

Click Add under Service Providers on the Main tab. Enter a service provider name and click Register. Since the service provider is for the WSO2 Identity Server itself, in this tutorial the service provider is referred to as 'self'.

Select Manual Configuration and enter the following details. Click Register.

Issuer - carbonServer

Assertion Consumer URLs - https://localhost:9443/acs

Enable Response Signing - true

Expand Local and Outbound Authentication Configuration and select Advanced Configuration to configure multi-factor authentication. There are two types of multi-factor authentication that you can configure here.

Multi-option authentication: This can be configured by clicking Add Authenticator. Clicking this again will enable you to create another authentication option. These can be either local or federated authenticators.

Multi-step authentication: This is configured by clicking Add Authentication Step. Clicking this again will enable you to create another authentication step. These can be either local or federated authenticators.

Click Add Authenticator to add a Local Authenticator. You can choose the type of authenticator using the dropdown. Clicking Add Authenticator again will enable you to add a second local authenticator and configure multi-option authentication using two local authenticators. Alternatively, you can click Add Authentication Step and configure a Local Authenticator in one step by selecting the local authenticator from the dropdown and clicking Add Authenticator. You can do the same for the second step.

As an example for this scenario, basic and fido are used as the two authenticators. Basic authentication allows you to authenticate users from the enterprise user store while FIDO authenticates you externally.